How do you enable PGP encryption in Panther Mail?

Dalbot

I just can't get it to work even though I followed Mail Help's instructions:

A private key, which is created and stored on your computer when you first obtain a certificate. It is protected by your keychain, and should not be disclosed to anyone.

To encrypt an email message, you must have a certificate for each of the message's recipients. The public key in each certificate is used to encrypt the message for that recipient. If you don't have a certificate for even a single recipient, the message cannot be encrypted. The recipient's software uses the recipient's private key, which remains on that person's computer, to decrypt the message.

You can get someone's certificate if that person sends you a digitally signed or encrypted message, since that person's certificate is automatically included in such messages. When you receive one of these messages, Mail automatically stores this person's certificate in the keychain.

Once you have a signing certificate for your mail account stored in your keychain, additional buttons appear in the Compose window, allowing you to digitally sign or encrypt a message.

I sent myself a digitally signed and encrypted email message using PGP Mail in Jaguar. I booted into Panther and checked my email with Mail. It received the message but did not recognize my digital signature or add it to my keychain. It doesn't work as Apple claims it does in Mail's Help. Pretty stupid to add this feature and then conceal how to make it work. Why not just add Mail encryption by default (turn it on via Mail prefs)?
 
It seems that Panther's Mail does not have a PGP help file for the German language... (?) At least not in 7B85... Can you copy the _whole_ thing it says about PGP?

(I've never used PGP in my whole life but would like to start now with Panther's Mail.app... It would be useful to me to know where to start and how...)
 
Originally posted by fryke
It seems that Panther's Mail does not have a PGP help file for the German language... (?) At least not in 7B85... Can you copy the _whole_ thing it says about PGP?

About encryption and digital signatures

You can use Mail to send secure email messages. They are encrypted and digitally signed by you, using public-key cryptography.

Cryptography is the process of writing in or deciphering secret code. It has become one of the main tools for privacy, trust, access control, electronic payments, and corporate security. Encryption is the encoding of the contents of a message to hide the message contents from outsiders. Decryption is the process of retrieving the original message. A key must be used to encrypt and decrypt the message.

Public-key cryptography was developed because of the limitations of traditional cryptography, in which the sender and receiver had to know and use the same key. If the sender and receiver are in different physical locations, they must trust a phone system or courier, or some other transmission medium, to prevent the disclosure of the secret key. If the key is intercepted, the message can be compromised.

In public-key cryptography, each person gets a pair of keys, a public key and a private key. The public key is published, but the private key is kept secret. The sender and receiver do not share secret information, and no private keys are ever transmitted. Messages are sent using public information, but can only be decrypted with a private key.

If you want to send a secure message to someone, you look up that person's public key in a directory, and use it to encrypt and send the message. Recipients use their private keys to decrypt and read the message.

If you want to digitally sign a message, Mail performs a computation using your private key and the message. The output is called a "digital signature" and is attached to the message. Your recipient can verify the signature using a computation involving the message, the signature, and your public key (which is automatically included as part of the message). Not only does this verify that the message came from you, it also verifies that the message has not been altered since it was sent by you to the recipient.

Encrypting and signing a message in Mail

In Mail, you need the following to create digital signatures:

A signing certificate, including your public key, which identifies you. It's a bit like your name and phone number in a public directory. Other people can communicate with you if they know your public key. Every time you sign a message, your signing certificate is included with the message. The presence of the certificate in the message, with the public key, permits the recipient to verify your digital signature.

A private key, which is created and stored on your computer when you first obtain a certificate. It is protected by your keychain, and should not be disclosed to anyone.

To encrypt an email message, you must have a certificate for each of the message's recipients. The public key in each certificate is used to encrypt the message for that recipient. If you don't have a certificate for even a single recipient, the message cannot be encrypted. The recipient's software uses the recipient's private key, which remains on that person's computer, to decrypt the message.

You can get someone's certificate if that person sends you a digitally signed or encrypted message, since that person's certificate is automatically included in such messages. When you receive one of these messages, Mail automatically stores this person's certificate in the keychain.

Once you have a signing certificate for your mail account stored in your keychain, additional buttons appear in the Compose window, allowing you to digitally sign or encrypt a message.

If you type an email address for which a certificate can be found in the keychain, Mail automatically enables the Encrypt button.

Click Encrypt to encrypt the message for all recipients. You must have a certificate (with the public key) for all recipients. If you don't, you see a dialog that allows you to either cancel the delivery of the message or send the message unencrypted.

Click Sign to digitally sign the message for all recipients of the message.
When you receive a message that has been encrypted, a security header marked "Encrypted" with a lock appears.
When you receive a message that has been signed, a security header marked "Signed" with a checkmark appears.

When you receive an encrypted message from someone, you can index the encrypted message so you can search it just as you would search any unencrypted message, or leave it encrypted for security reasons. Choose Mail > Preferences and click General. Leave the option unchecked to bypass indexing.
 
I think I figured it out, but it's been a pain in the ass.

Apparently, Panther Mail only supports the S/MIME security standard. So PGP keys don't work. You need to obtain an S/MIME certificate from a Certificate Authority. Almost all of them charge for an S/MIME certificate. You can obtain a free, limited S/MIME certificate from http://www.thawte.com/. Mine is currently pending so I haven't had a chance to test it out.

Read more about S/MIME here:

http://www.sanbeiji.com/blog/article.php?articleNum=91
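
An added example, not part of the original posts: S/MIME and PGP messages are labelled with different MIME types, which is why a client that implements only S/MIME does not recognize a PGP-signed message. The function names and the sample messages below are constructed for illustration.

```python
from email import message_from_string

# S/MIME and OpenPGP/MIME (RFC 3156) label their parts with different MIME types.
SMIME_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
SMIME_BODY = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
SMIME_KIND = {"signed-data": "signed", "enveloped-data": "encrypted"}

def classify(raw):
    """Return (standard, protection) for a raw message given as a string."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol") or "").lower()
    if ctype == "multipart/signed" and protocol in SMIME_SIG:
        return ("S/MIME", "signed")
    if ctype == "multipart/signed" and protocol == "application/pgp-signature":
        return ("OpenPGP", "signed")
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return ("OpenPGP", "encrypted")
    if ctype in SMIME_BODY:
        kind = str(msg.get_param("smime-type") or "").lower()
        return ("S/MIME", SMIME_KIND.get(kind, "other"))
    # Inline PGP has no MIME marker: the armor sits inside an ordinary text part.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP SIGNED MESSAGE-----" in body:
                return ("OpenPGP", "signed")
            if b"-----BEGIN PGP MESSAGE-----" in body:
                return ("OpenPGP", "encrypted")
    return ("none", "plain")

def smime_only_client_handles(raw):
    # Model (an assumption) of a client that implements S/MIME but not OpenPGP.
    return classify(raw)[0] == "S/MIME"

# Constructed sample messages: only the headers matter, the bodies are dummies.
SAMPLES = {
    "smime_signed": 'Content-Type: multipart/signed; micalg=sha1;\n'
                    ' protocol="application/pkcs7-signature"; boundary="b1"\n\n--b1--\n',
    "pgp_mime_signed": 'Content-Type: multipart/signed; micalg=pgp-sha1;\n'
                       ' protocol="application/pgp-signature"; boundary="b2"\n\n--b2--\n',
    "smime_encrypted": 'Content-Type: application/pkcs7-mime;\n'
                       ' smime-type=enveloped-data; name="smime.p7m"\n\n(dummy)\n',
    "pgp_inline": 'Content-Type: text/plain; charset=us-ascii\n\n'
                  '-----BEGIN PGP MESSAGE-----\n(dummy)\n-----END PGP MESSAGE-----\n',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw), smime_only_client_handles(raw))
```
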
 
There's still MacGPG (the GNU version of PGP, I think, in some way). It has a Mail.app plugin afaik. But as I've said: I've never used it... :/

Here's a call: Apple should make security REALLY easy to grasp, i.e.: On first opening Mail.app, it should ask you whether you want to use GPG (or their S/MIME, whatever) and then create everything for you (asking for passphrases and random input etc., of course for security reasons). After that you'd be set up and can publish your public key. But hey, what do I know...
 
How do you request a certificate? None of the browsers I've tried will work on the Mac: Safari 1.1, IE Mac, Camino.

IE on a PC will work.
 
Originally posted by Captain Code
How do you request a certificate? None of the browsers I've tried will work on the Mac: Safari 1.1, IE Mac, Camino.

IE on a PC will work.

Only Mozilla worked for me and I had to add the certificate to Mozilla's security preferences. It then becomes available for use with Mozilla's mail module. After that, I sent myself a signed email. Mail app recognized the signed certificate, but I still couldn't get encryption to work.

I've given up for the time being. I'm going to wait until Panther ships. Hopefully someone over at O'Reilly.com will write a tutorial about using Mail's encryption scheme, which, if you ask me, is not very impressive. They should've just built in a PGP-like encryption scheme that you enable via preferences.
 
I got my certificate from thawte, too. You have to export it from Mozilla (via preferences -> security -> certificates -> backup) to your hard disk. You will be asked for your password(s). This should give a file with suffix ".p12". Then import the file to the program Keychain. Now you should be able to encrypt and sign messages with the mail account that matches the mail address from the certificate. Works for me! I'm only wondering: how trusty is thawte.com? I mean, they're advertising with a head-tattooed tattooer!
 
That sucks that I have to use Mozilla. I deleted it cause it took too long to start up on my computer.

Well, I'll give it a try, thanks.

I agree that that's not a really easy way to use encryption in Mail. They should have a preference setting and allow you to import certs. Or at least open the keychain and tell you to import them that way.

Maybe in the next release they'll make it a bit better.
 
Really, who the heck uses X.509 certs anyway (OK, not many people use PGP, but more than use S/MIME with X.509). I'm surprised they wouldn't at least integrate GPG.

Makes sense they wouldn't use PGP though, that's now commercial software...
 
The Apple rep that was here a few weeks ago kept mentioning VeriSign certificates and how they worked with Mail.app under Panther… probably something you have to buy, though. I thought I remembered him mentioning something about GPG compatibility, but I could be wrong…
 